- From: Ari Luotonen <luotonen@netscape.com>
- Date: Fri, 14 Feb 1997 12:57:39 -0800 (PST)
- To: jg@zorch.w3.org
- Cc: luotonen@netscape.com, wyllys@reston.ans.net, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

> Could one or both of you explain what it would be used for?
> It would help the rest of us support such a proposal.
> Just asserting it would be useful doesn't help us (as a working
> group) understand (or understand what problems it would present
> that have to be thought about).

I'll list some off the top of my head:

- one-time password/securID type authentication where a cookie is issued and considered as valid credentials for a certain period of time and then expired
- other access control data, e.g. ACL's
- being able to track usage patterns without forcing user authentication
- being able to customize the view through the proxy
- maintaining client state on proxy side that is useful and necessary, e.g.
  - to guarantee that a Java originated connection gets to the same IP address as the Java applet was loaded from (to avoid the DNS spoofing attack)
  - to guarantee the same proxy route to the origin server, to avoid problems where sites would associate a client cookie with the incoming IP address, and with multiple different proxy routes end up in a situation where client's cookie is considered invalid by the origin server because it came through a different proxy route (different source IP address)

The two last subitems I don't mind if HTTP WG proposes some other mechanism to deal with them; however, if we go with Proxy-cookies (which I fully support), this would be a possible solution.

Cheers,

--
Ari Luotonen * * * Opinions my own, not Netscape's * * *
Netscape Communications Corp. ari@netscape.com
501 East Middlefield Road http://home.netscape.com/people/ari/
Mountain View, CA 94043, USA Netscape Proxy Server Development

Received on Friday, 14 February 1997 13:09:30 UTC